Tweet
em đang học về cấu hình site-to-site VPN, nên kiến thức còn hạn chế, mong các anh giúp em vơi ???
topo
em muốn cấu hình VPN site-to-site từ loopback 0 của Router 1 đến loopback 0 của Router 3
em cấu hình theo topo trên, khi em cấu hình xong, em kiểm tra hoạt động của VPN, nhưng em không thấy VPN hoạt động,
đây là 2 file cấu hình của R1 và R3:
R1:
R3:
em dùng lệnh : show crypto ipsec sa
R1:
R2:
em dùng lệnh: show crypto isakmp sa
để kiểm tra quá trình thiết lập IKE
em không hiểu tại sao lại không có thông tin gì ???
và thêm lệnh : show crypto engine connections active
cũng không có thông tin gì luôn.
Không biết em cấu hình sai ở chổ nào?
Mong các anh chỉ giúp ! :112:
Em là newbie, nếu em post bài không đúng box thì các mod và admin bỏ qua cho em nhé
topo
em muốn cấu hình VPN site-to-site từ loopback 0 của Router 1 đến loopback 0 của Router 3
em cấu hình theo topo trên, khi em cấu hình xong, em kiểm tra hoạt động của VPN, nhưng em không thấy VPN hoạt động,
đây là 2 file cấu hình của R1 và R3:
R1:
R1#show running-config
Building configuration...
Current configuration : 1192 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ccna privilege 15 password 0 ccna
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345 address 10.0.0.2
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test1 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set test
match address 100
!
!
!
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
crypto map test1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
end
R1#
Building configuration...
Current configuration : 1192 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ccna privilege 15 password 0 ccna
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345 address 10.0.0.2
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test1 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set test
match address 100
!
!
!
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
crypto map test1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
end
R1#
R3#show run
Building configuration...
Current configuration : 1461 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ccna privilege 15 password 0 ccna
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345 address 172.16.1.2
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test1 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set test
match address 100
!
!
!
!
interface Loopback0
ip address 10.10.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
serial restart-delay 0
clock rate 64000
crypto map test1
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
end
R3#
Building configuration...
Current configuration : 1461 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ccna privilege 15 password 0 ccna
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345 address 172.16.1.2
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test1 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set test
match address 100
!
!
!
!
interface Loopback0
ip address 10.10.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
serial restart-delay 0
clock rate 64000
crypto map test1
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
end
R3#
R1:
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: test1, local addr. 172.16.1.2
protected vrf:
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#
interface: FastEthernet0/0
Crypto map tag: test1, local addr. 172.16.1.2
protected vrf:
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#
R3#show crypto ipsec sa
interface: Serial1/1
Crypto map tag: test1, local addr. 10.0.0.2
protected vrf:
local ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
current_peer: 172.16.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.2, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#
interface: Serial1/1
Crypto map tag: test1, local addr. 10.0.0.2
protected vrf:
local ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
current_peer: 172.16.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.2, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#
để kiểm tra quá trình thiết lập IKE
R1#show crypto isakmp sa
dst src state conn-id slot
R1#
dst src state conn-id slot
R1#
và thêm lệnh : show crypto engine connections active
R1#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
R1#
ID Interface IP-Address State Algorithm Encrypt Decrypt
R1#
Không biết em cấu hình sai ở chổ nào?
Mong các anh chỉ giúp ! :112:
Em là newbie, nếu em post bài không đúng box thì các mod và admin bỏ qua cho em nhé
Comment